Field of the Invention
Embodiments of the present invention generally relate to computer systems, more particularly, to a method and apparatus for detecting malware on a computer system.
Description of the Related Art
Software designed to infiltrate a computer system without authorization is typically referred to as “malware”. Such software includes computer viruses, worms, Trojan horses, spyware, adware, and the like known in the art. Software designed to detect and mitigate malware is generally referred to herein as “anti-virus (AV)” software. Current AV software can employ two techniques for detecting malware: (1) signature-based detection; and (2) behavior-based detection. Both techniques have limitations. Signature-based techniques require a sample of the malware so that a “signature” (for example, a hash or byte pattern characteristic of the sample) can be created and distributed to computer systems for use in detecting that malware. Signature-based techniques are therefore ineffective against advanced malware threats, such as polymorphic, obfuscated, or packed malware, or like type threats, for which each instance differs in form and it is difficult or impossible to create signatures. Further, it is inefficient or impossible to create signatures for the several million new malware samples released each year. Behavior-based techniques also require a malware sample, but can identify variants of known malware if the variants exhibit the same behavior as the sample, even when their code differs. Authors of malware, however, have begun to introduce changes in behavior in the variants of malware in order to escape behavioral detection.
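The following is an added illustration of the two techniques and the evasions described above; it is not part of the patent and does not describe the claimed invention. The “malware” is an inert constructed byte string, the signature is a byte substring and a hash taken from it, the “packer” is a trivial XOR wrapper standing in for a polymorphic engine, and the behavior events are hypothetical names; all of these are assumptions made for the example.

```python
"""
Toy model of signature-based versus behavior-based detection.
Everything here is constructed for illustration: an inert byte string plays
the role of the malware sample, and event names are hypothetical.
"""
import hashlib
from typing import Sequence

# Constructed, inert "sample" from which a signature would be derived.
ORIGINAL_SAMPLE = b"\x90\x90DROPPER:open(autorun.inf);write;exec(cmd.exe)"

# Constructed behavior profile, as if recorded by running the sample in a sandbox.
BEHAVIOR_PROFILE = ("file_write:autorun.inf", "process_create:cmd.exe")


def hash_signature(sample: bytes) -> str:
    """Most brittle form of signature: a hash of the whole object."""
    return hashlib.sha256(sample).hexdigest()


def hash_match(signature: str, blob: bytes) -> bool:
    return hash_signature(blob) == signature


def pattern_signature(sample: bytes, offset: int = 2, length: int = 16) -> bytes:
    """Byte-pattern signature: a window an analyst picked out of the sample."""
    return sample[offset:offset + length]


def pattern_match(signature: bytes, blob: bytes) -> bool:
    """Signature-based detection: exact byte pattern present in the object."""
    return signature in blob


def xor_pack(payload: bytes, key: int) -> bytes:
    """Stand-in for a packer/polymorphic wrapper: a small decoder stub followed
    by the payload XOR-encoded with a per-variant key. Every byte of the body
    changes with the key, so no substring of the original survives."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte so the body really changes")
    stub = b"STUB" + bytes([key])
    return stub + bytes(b ^ key for b in payload)


def xor_unpack(packed: bytes) -> bytes:
    """What the stub would do at run time: recover the original payload."""
    key = packed[4]
    return bytes(b ^ key for b in packed[5:])


def behavior_match(profile: Sequence[str], trace: Sequence[str]) -> bool:
    """Behavior-based detection: every profile event appears in the observed
    trace, in order, regardless of how the code that produced it looks."""
    remaining = iter(trace)
    return all(any(event == wanted for event in remaining) for wanted in profile)


def demo() -> dict:
    """Run each detector against the original, a repacked variant, and two
    behavioral variants; returns the outcomes so they can be checked."""
    hsig = hash_signature(ORIGINAL_SAMPLE)
    psig = pattern_signature(ORIGINAL_SAMPLE)
    one_byte_variant = ORIGINAL_SAMPLE + b"\x00"       # trivially edited copy
    packed_variant = xor_pack(ORIGINAL_SAMPLE, key=0x5A)

    # Constructed sandbox traces: same behavior with extra noise, and changed behavior.
    same_behavior_trace = [
        "registry_read:HKLM\\Software",
        "file_write:autorun.inf",
        "network_connect:203.0.113.7:443",
        "process_create:cmd.exe",
    ]
    changed_behavior_trace = [
        "registry_write:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "process_create:powershell.exe",
    ]

    return {
        "hash_hits_original": hash_match(hsig, ORIGINAL_SAMPLE),
        "hash_hits_one_byte_variant": hash_match(hsig, one_byte_variant),
        "pattern_hits_one_byte_variant": pattern_match(psig, one_byte_variant),
        "pattern_hits_packed_variant": pattern_match(psig, packed_variant),
        "packed_variant_still_unpacks": xor_unpack(packed_variant) == ORIGINAL_SAMPLE,
        "behavior_hits_same_behavior": behavior_match(BEHAVIOR_PROFILE, same_behavior_trace),
        "behavior_hits_changed_behavior": behavior_match(BEHAVIOR_PROFILE, changed_behavior_trace),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The results show the gradient the background section describes: a hash signature fails on a one-byte edit, a byte-pattern signature survives that edit but fails once the sample is repacked (even though the packed variant still unpacks to identical code), the behavioral profile catches the repacked variant because its run-time actions are unchanged, and a variant whose author altered those actions evades the behavioral profile as well.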
Accordingly, there exists a need in the art for a method and apparatus for detecting malware on a computer system that overcomes the disadvantages associated with pure signature-based and behavior-based malware detection techniques.